How to Remove HabitsRAT


HabitsRAT is a Remote Access Trojan (RAT) that was first detected while it was carrying out attacks against compromised Microsoft Exchange Servers. However, the threat's creators appear to have expanded their operation by developing a separate version of HabitsRAT that runs on Linux machines. Both variants of the malware are written in Google's Go programming language, a relatively new trend among malware developers. The good news is that HabitsRAT is not that rich in features compared to other threats identified as RATs: its primary purpose is to enable its operator to execute remote code on the compromised machine. While it may be lacking in features, it has an interesting mechanism to make sure that no one else can use the implant: all commands sent to it must be signed with the operator's unique private key. If the signature is missing, HabitsRAT will not execute the command.

The Windows version of HabitsRAT is much more active than its Linux counterpart. When it is deployed to a Windows machine, the malware drops its files under the name 'WindowsDefenderMsMpEng.exe', which may trick users who encounter the file into thinking that it is part of the Windows Defender service. The RAT also tries to gain persistence by creating a new scheduled task called WindowsDefenderScan. Once these tasks are accomplished, it connects to one of the pre-defined command-and-control servers and waits for instructions. The communication between the HabitsRAT implant and the control server is always encrypted with the operator's private key.
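The file name and task name above are enough for a first triage pass over scheduled-task exports collected from Windows hosts. The following is an added example, not part of the original article: it scans the CSV produced by `schtasks /query /fo csv /v` for both names. The sample rows, host names and paths are constructed for illustration, and the English column names are an assumption (they are localized on non-English systems).

```python
import csv
import io

# The two names come from the article; everything else here is illustrative.
TASK_NAME = "WindowsDefenderScan"
FILE_NAME = "WindowsDefenderMsMpEng.exe"

# Constructed sample: trimmed `schtasks /query /fo csv /v` output.
# schtasks repeats the header row for each task folder, so it appears twice.
SAMPLE = r'''
"HostName","TaskName","Task To Run","Run As User"
"EXAMPLE-01","\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob","SYSTEM"
"HostName","TaskName","Task To Run","Run As User"
"EXAMPLE-01","\WindowsDefenderScan","C:\ExampleDir\WindowsDefenderMsMpEng.exe","SYSTEM"
"EXAMPLE-02","\Updater","C:\ExampleDir\WindowsDefenderMsMpEng.exe","SYSTEM"
'''


def find_indicators(csv_text):
    """Return (host, task, reasons) for every task matching either name."""
    hits = []
    header = None
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue                      # blank separator lines
        if "TaskName" in row:             # (repeated) header row
            header = row
            continue
        if header is None or len(row) != len(header):
            continue                      # malformed or truncated line
        rec = dict(zip(header, row))
        reasons = []
        # Compare only the leaf name so the task folder does not matter.
        leaf = rec["TaskName"].rsplit("\\", 1)[-1]
        if leaf.lower() == TASK_NAME.lower():
            reasons.append("task name")
        # Catches a task that was renamed but still launches the same file.
        if FILE_NAME.lower() in rec.get("Task To Run", "").lower():
            reasons.append("task action")
        if reasons:
            hits.append((rec.get("HostName", "?"), rec["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for host, task, reasons in find_indicators(SAMPLE):
        print(f"{host}: {task} matched on {', '.join(reasons)}")
```

A hit is a lead to verify on the host (file location, signature, task author), not a verdict, since names alone can collide with unrelated software.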

The developers of this malware probably use the Go language because malware written in it is usually more difficult for some automated anti-malware tools to detect. Thankfully, such exceptions do not last for long, and you can rest assured that HabitsRAT's attack is fully preventable with an up-to-date antivirus software suite.

April 21, 2021
